CentOS SSH Installation And Configuration

Author: Vivek Gite Last updated: February 13, 2020 16 comments

How do I install and configure ssh server and client under CentOS Linux operating systems? Can you explains CentOS SSH installation commands?

OpenSSH is a free and open source software for remote login and running commands on CentOS enterprise Linux server or desktop systems. In this tutorial, we will learn how to install ssh server/client and configure the same.

CentOS SSH Installation

You need to install the following packages (which are installed by default until and unless you removed it or skipped it while installing CentOS):

openssh-clients : The OpenSSH client applications
openssh-server : The OpenSSH server daemon

Let us see all steps in details.

OpenSSH Installations under CentOS Linux

To install the server and client type the following command as root user:
# yum -y install openssh-server openssh-clients

CentOS 6.x and older commands

Start the service:
# chkconfig sshd on # service sshd start
Make sure port 22 is opened:
# netstat -tulpn | grep :22

Firewall Settings For CentOS 6.x and older

Edit /etc/sysconfig/iptables (IPv4 firewall),
# vi /etc/sysconfig/iptables
Add the lines:

Replace RH-Firewall-1-INPUT with actual chains in your config file. See CentOS/Redhat (RHEL 6.x) tutorial page for more info.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
If you want to restict access to 192.168.1.0/24, edit it as follows:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
If your site uses IPv6, and you are editing ip6tables, use the line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
Save and close the file. Restart iptables:
# service iptables restart

CentOS 7.x/8.x and above commands

Enable and start the sshd service:
# systemctl enable sshd.service # systemctl start sshd.service
Verify that TCP port number 22 is in listing state using the ss command/netstat command along with the grep command:
ss -tulpn | grep ':22'
OR
ss -tulpn | grep ':22'
Open tcp port 22 using the firewall-cmd command # firewall-cmd --zone=public --add-service=ssh --permanent # firewall-cmd --reload

OpenSSH Server Configuration

Edit /etc/ssh/sshd_config, enter:
# vi /etc/ssh/sshd_config
To disable root logins, edit or add as follows:
PermitRootLogin no
Restrict login to user tom and jerry only over ssh:
AllowUsers tom jerry
Change ssh port i.e. run it on a non-standard port like 1235
Port 1235
Save and close the file. Restart sshd:
# service sshd restart ## centos 6.x ##
OR
# systemctl restart sshd.service ## centos 7.x/8.x ##

How to test ssh installation

Use the ssh command/scp command or sftp command as follows:
ssh user@your-server-ip ssh vivek@server1.cyberciti.biz ssh vivek@server1.cyberciti.biz uptime sftp server1.cyberciti.biz scp foo.gif vivek@ln.cbz01:/home/httpd/images

Conclusion

You learned how to install openssh server (sshd) and clients on CentOS Linux using the yum command. For more information please see the following tutorial:

Top 20 OpenSSH Server Best Security Practices

🐧 Please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:

RSS feed or Weekly email newsletter
Share on Twitter • Facebook • 16 comments... add one ↓

Related Tutorials

Category	List of Unix and Linux commands
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04

16 comments… add one

Oyewumi Abayomi Jan 22, 2011 @ 6:47

THANKS A MILLION, MAY GOD BLEEEEEEEEEESSSSSSSSSSSSSSSSSSSS YOU.
YOU JUST SAVED MY LIFE.

MY HOSTING SERVER’S SSH WAS UNINSTALLED BY MISTAKE AND YOU JUST MADE THE SOLUTION CHEAP

THANKS AGAIN

Reply Link
Abraham Oct 6, 2011 @ 18:29

Thanks very much for this info.
This is very helpful.

God bless you guys.

Reply Link
Darr247 Dec 18, 2011 @ 5:38

There are a couple/few things I don’t get…
e.g. for

Make sure port 22 is opened:
# netstat -tulpn | grep :22

What are we *supposed* to see if port 22 *is* opened?

And for

Add the line
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT

add it *where*???
In the :INPUT ACCEPT section?
in the :OUTPUT ACCEPT section?
after :COMMIT?

No matter which line I put it on, when I restart the iptables service I get a red [FAILED] message for that line#.

And then you change the SSH port to 1235 but don’t revisit iptables?

What am I missing here?

:-)

Reply Link
Boymix81 Feb 28, 2012 @ 21:20

Thanks a lot!

Only change :

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 22 -j ACCEPT

TO

-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 22 -j ACCEPT

Reply Link
- g3g3g3 Nov 27, 2014 @ 18:05
  
  thx a lot
  
  Reply Link
kuldeep thakur Mar 15, 2012 @ 7:49

Thanks a ton this info really very helpful for me.

Peace,
Kuldeep

Reply Link
Darr247 Mar 15, 2012 @ 23:15

So,
Make sure port 22 is opened:
# netstat -tulpn | grep :22

What are we *supposed* to see if port 22 *is* open?

Thanks.

Reply Link
- Paul Cupis Apr 22, 2012 @ 19:29
  
  If sshd is running. you would expect to see something like:
  
  # netstat -plunt | grep :22
  tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 70813/sshd
  tcp 0 0 :::22 :::* LISTEN 70813/sshd
  #
  
  If you do not get any output where the IP/port part ends in :22, then you have nothing listening on port 22 (the standard ssh port).
  
  Regards,
  
  Reply Link
BRAVE-MAN99 Jun 21, 2012 @ 15:07

God bliss you.
Simple way & perfect results.

Reply Link
rkrara Oct 7, 2012 @ 11:02

Hi,
Some thing is wrong.
Please help resolve it.
The line 13 is this:
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT

Now when is restart iptables i get this error.

# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore: line 13 failed [FAILED]

Reply Link
pheng Nov 14, 2012 @ 14:18

change like this it will work…

-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT

Reply Link
kyferez Jan 26, 2013 @ 18:04

You missed something important: If you alter SSH Port, your iptables line –dport needs to be the same as the port you specified, not 22!

So, if you set: Port 234, then your IP tables entry would be this:
-A INPUT -m state –state NEW -m tcp -p tcp –dport 234 -j ACCEPT

To verify your PROPER port is open, the command also needs to reflect the port you altered: netstat -tulpn | grep :234

Your results should look like this:
tcp 0 0 0.0.0.0:234 0.0.0.0:* LISTEN 26873/sshd
tcp 0 0 :::234 :::* LISTEN 26873/sshd

The author should not have suggested changing the port without explaining that the commands and IPTables entries would necessitate being altered as well.

Reply Link
- Kenny Mar 27, 2013 @ 16:30
  
  I should have read this comment about 30 minutes ago… lol I was however, able to figure it out on my own. I guess that’s a good thing. :o)
  
  Reply Link
Sagetbh Jun 6, 2013 @ 10:37

Thank you so MUCH!
This actually worked.
You are a blessing!

Reply Link
Wellington Torrejais da Silva Jun 24, 2014 @ 14:59

Thanks!!!

Reply Link
Rob Mar 15, 2016 @ 16:36

Any changes to iptables *** must *** be on lines above COMMIT, which is found at the end of the file.
Before adding the port (eg 22), do a search to see if it already exists:
nano iptables
Ctrl W to invoke search
type: dport 22

Reply Link